How small businesses in Asia can fight cybersecurity threats

Scott Zoldi of FICO provides advice on securing an organisation with limited resources.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

According to the Grant Thornton International Business Report, Asia Pacific businesses lost close to US$81.3 billion in revenue to cyber attacks. Some recent high profile attacks on Malaysian Airlines, SingPass and Standard Chartered show that even sophisticated enterprises can fall victim to criminals. However, while the most column inches are written about large public companies, the impact on small and midsize businesses (SMBs) of a data breach is even more devastating. In fact, more than 80% of breaches are estimated to occur to small businesses, which is troubling because they are for the large part the most vulnerable and the least aware. Furthermore, studies estimate that about half of small businesses close shop within six months of a cyber breach.

The cost of a cyber attack is not limited to the immediate theft or financial data loss but can also include compromise of private inter-company communications, customer lists, vendor contract details, and other confidential business information which can impact reputation and future income.

In a recent survey by FICO of fraud executives from leading banks across Asia, 25 percent of respondents believed that potential data breaches within small businesses present a threat to financial institutions. While some countries in the region have issued directives for businesses to put in place robust security systems to protect customer data, the general lack of laws on disclosure of security breaches means many attacks go unaccounted, making it hard for authorities to track and measure the severity of the problem. This gives perpetrators the confidence to keep repeating the same types of attacks, unconcerned about needing to change their methods.

Furthermore, in today's environment, small businesses are increasingly reliant on suppliers, third-party services, and amount of connected technology in their operations. This multiplies the number of potential threat vectors.

So, how do you secure an organisation with limited resources? The first priority is to not be an obvious target. 90% of attacks are associated with weaknesses in basic defenses, such as firewalls, default passwords, VPNs and double authentication. These simple steps ensure your business isn't noticeably insecure. I can't tell you how many times I've heard of companies' security passwords being "password" or the company's name. It shows how just a little extra effort can strengthen cyber defense considerably.

Secondly, if your business takes payment data and customer information then doing a Payment Card Industry (PCI) audit is critical. Businesses must always be PCI compliant, but in reality only a very small portion of small businesses in Asia are. This not only opens up the company to sizeable fines but also jeopardizes customer information and often results in significant damage costs after a breach. If you have data at rest, ensure that it meets PCI so that if cyber criminals breach you, any data they find will be useless. A more secure option is to look into outsourcing services to process and protect the financial transactions, so that they don't even touch your networks.